spammer

Rumors have been going around that the CAPTCHA system used by Gmail, Yahoo and Microsoft has been broken. “CAPTCHA” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” Since you are reading this online, the odds are that you have encountered CAPTCHAS. They are those annoying twisted text tests that you have to pass to do things like get a Gmail account or leave comments on some sites.

These tests were designed to provide some measure of defense against spammers, scammers and other such folks. This defense works in the following manner: to get (for example) a Gmail account, you have to recognized a distorted set of letters and/or numbers and type them into a text field. Computers are supposed to be unable to recognize the distorted text, thus preventing spammers from automatically creating large numbers of accounts. They can, of course, create accounts manually, but this would be a losing proposition because of the amount of time required to do this.

It was, of course, just a matter of time before the CAPTCHA system was broken (again). After all, solving a CAPTCHA is simply an exercise in character recognition and software to do this has been around for quite some time. Breaking the CAPTCHA system is just a matter of having software that automates the process of creating accounts and includes (or has access to) the capacity to recognize distorted text.

Some might wonder why people would put so much effort into breaking CAPTCHAs in order to get email accounts that are free. The reasons are, of course, spam and scam. In the war on spam and scam, ISPs and filtering software have gotten very good at blocking known spam and scam domains. However, Gmail, Yahoo, and Hotmail addresses are considered legitimate email addresses and are not blocked based on their domain (though they can be blocked based on their content or subject). Since spam works on the basis of pure volume, spammers need as many email addresses as they can get. Also, once they use an address it can be recognized and blocked. Hence, spammers also need to constantly replace their email addresses.

This need has led to a black market industry in email accounts. Hackers break the CAPTCHAs and generate thousands of email accounts. They then sell them to the spammers and scammers. They even offer a discount for purchasing in bulk.

Of course, those who fight back against the hackers, spammers and scammers are not sitting still. New defenses will be developed and then countered and so on.

The problem that the defenders face is an age old one. Any defense must allow legitimate access while keeping out illegitimate access. For example, a castle has to keep out the enemy while allowing friendlies to enter (and leave). Of course, sorting out the friendlies from the foes can be a challenging thing.

The CAPTCHA was intended to provide a test that only an intelligent being could pass easily (hence the Turning test reference). A Turing test (which actually just duplicates a test presented by Descartes centuries before) is intended to discern between intelligent and non-intelligent systems. The original test was a conversational one: if you could not discern between a human (presumably intelligent) and a computer while communicating with them, then the computer would pass the Turing test and be considered intelligent. The CAPTCHA test obviously is not really much of a Turing test, unless the ability to sort out and recognize symbols in this manner is a sufficient condition for intelligence (which it certainly is not).

The basic idea behind the CAPTCHA remains sound, however. A quick and automatic test that can discern a person from a computer program is a useful defense. The challenge is, of course, to devise a test that is quick (so as to avoid annoying people) and automatic (to keep costs down) that cannot be reliably passed by computer (or at least the sort of computer software and hardware available to the hackers).

One test that has potential is the use of images. Humans are good at image recognition. For example, a typical human would easily discern a picture of a cat from that of a dog. While image recognition software does exist, it does not approach the capabilities of human beings.

Another test I’ve seen is like the ones I recall on the SAT. The test will say something like “A cat is to a kitten like” and ask for a proper match (“A baby is to a man/woman”). The idea is that the test requires some degree if intelligence. The downside is that, like the SAT, some people might get the answers wrong. Another problem is that software might be designed to recognize commonly used questions, thus requiring sites to have vast numbers of questions on hand. Of course, any multiple choice option can be overcome by repetition: a program can be set to randomly select answers and some of them will be correct, thus beating the defense.

Another test is to use a method that was used as copy protection in some old games. To play such a game you would have to correctly answer a question such as “what is the fifth word on page 6 of the game manual?” This sort of defense could be used, but it does have the weakness of being subject to the brute force attack method.

A puzzle test could also be used that is simple, but requires intelligence. For example, a test might require the assembly of a potted plant using three pieces (pot, stem, and a flower). A human would do this easily, while a program would not. Naturally, numerous puzzles would be needed to prevent the hackers from having it too easy. Of course, this approach can also be countered by pure brute force.

Overall, the challenge is to find a quick, simple and reliable means of distinguishing a person from a program. The challenge for the hacker is to find a way to beat that defense-either by brute force or by clever programming. It would be somewhat ironic if hackers solved the problem of artificial intelligence before the legitimate researchers cracked it.